Most of these facts are not surprising; for example people are still bleating on about ‘cloud’ as if it were something new and the gender disparity is huge. With that said there are some interesting facts such as the overall sentiment was a meagre 0.18 out of 100 with the lowest and highest sentiment of -20 and +8 respectively.

Additionally it would appear that those discussing managed hosting are not really making an impact in social media circles as out of 66,363 interactions over 24 hours the highest Klout score was only 18.

I tried putting some of this data (and other meta data such as top avatars, most retweeted etc) into some form of infographic, I’m not a UX person or an artist so if you don’t like it / it’s an abominable crime against infographics you have been warned;

Most Networks consist of a LAN and a WAN segment, unfortunately due to my previous IPv6 work and the inherant nature of IPv6 the LAN also has public Global Unicast addresses secured via rather crude RRAS filters. To increase the security of the LAN I need a firewall with seperate IPv4 and a IPv6 interfaces and a dual stack LAN interface.


interface Vlan1
nameif DualStack_Internal
security-level 100
ip address 172.16.0.2 255.255.255.192
ipv6 address 2a01:XXX:18e:4::1/64
ipv6 address autoconfig
ipv6 enable
ipv6 nd ra-interval 10
!
interface Vlan2
nameif IPv4_WAN
security-level 0
ip address 78.XXX.XXX.198 255.255.240.0
ipv6 address autoconfig
ipv6 enable
!
interface Vlan12
no forward interface Vlan2
nameif IPv6_WAN
security-level 50
no ip address
ipv6 address 2a01:XXX:18e:2::2/64
ipv6 address autoconfig
ipv6 enable
ipv6 nd ns-interval 2000
ipv6 nd suppress-ra


To ensure that hosts on the LAN can reach the outside world the IPv6 network needs a route and the IPv4 network needs NAT:

ipv6 route IPv6_WAN ::/0 2a01:XXX:18e:2::1
global (IPv4_WAN) 1 interface
nat (DualStack_Internal) 1 172.16.0.0 255.255.255.192
route IPv4_WAN 0.0.0.0 0.0.0.0 78.XXX.XXX.1 2


I’ve allocated Global Unicast addresses to the interfaces but this may not neccessarily be required as “Link-Local” addresses next hop addresses when routing but the output is as follows;

DualStack_Internal is up, line protocol is up
IPv6 is enabled, link-local address is fe80::222:55ff:fe2a:a42c
Global unicast address(es):
2a01:XXX:18e:4::1, subnet is 2a01:XXX:18e:4::/64
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff00:1
ff02::1:ff2a:a42c
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 10 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
!
IPv6_WAN is up, line protocol is up
IPv6 is enabled, link-local address is fe80::222:55ff:fe2a:a42c
Global unicast address(es):
2a01:XXX:18e:2::2, subnet is 2a01:XXX:18e:2::/64
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff00:2
ff02::1:ff2a:a42c
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.


With Router Advertisements enabled the IPv6 enabled hosts on the LAN had already acquired an IPv6 address and were already utilising the link;

Traffic Statistics for "IPv6_WAN":
27944 packets input, 28710029 bytes
14333 packets output, 1017380 bytes
5354 packets dropped
1 minute input rate 181 pkts/sec, 232507 bytes/sec
1 minute output rate 96 pkts/sec, 5989 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 2 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec


On a side note it looks like Google has moved http://ipv6.google.com away from the address it was when I was doing this testing last year from 2001:4860:0:1001::68 to 2a00:1450:8002::67.

Weirdness.

Now that IPv6 is enabled by default in all of the OS’s I use in my home (Fedora, Windows 2008 & Windows 7) I decided to go back and check my traffic graphs and the results surprised me.

There was a spike in Oct ’08 when I was first experimenting with IPv6 and visiting as many native IPv6 sites as I could and then it tailed off as one would expect. Interestingly the traffic started to pick up again in July of 2009 and in the 2 years of having IPv6 Internet connectivity I’ve pulled over 364Gb of traffic!

Looking at this year on it’s own shows a pretty consistent amount of throughput;

I’ll try and profile the traffic and work out what or who has adopted IPv6 so well that I can do so much without even realising it.

The first thing we need to do is install the pre-requisites via a privileged PowerShell;

Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart
















Once the machine has restarted you will need to ensure you set the machine name and a DNS suffix.

Assuming the checks all work you can click install and off you go;















Once all is installed the next step is to prepare a config bundle / auth package (I can’t quite remember what Microsoft call it) by issuing the following command in the EMS on the Edge server;
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

With that done you can either attempt to import the file via the EMS on a Hub Transport server or utilise the EMC. I chose the EMC as I kept on running into syntax errors and I was being impatient;















Unfortunately I hit an issue which was probably due to a very poor choice of mine in transfering the file. A quick rethink of moving the file and the Edge Synchronisation was complete;















The dialog shows a warning claiming the port 50636 needs to be available and the host be contactable, I checked with telnet and all was OK. So maybe the warning icon was just to draw my attention to it.

Once that is done simply issue the command;

Start-EdgeSynchronization

Unfortunately within minutes of me adding this server as a secondary MX I received a spam message which wasn’t very fun;

Return-Path: XXXXXXXXXX@yahoo.com
X-MS-Exchange-Organization-PRD: yahoo.com
Received-SPF: None (XXX-XXXX-XX.networksaremadeofstring.co.uk: XXXXXXXXXX@yahoo.com does not designate permitted sender hosts)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:195.XXX.XXX.122
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-SenderIdResult: NONE
X-MS-Exchange-Organization-AuthSource: XXX-XXXX-XX.networksaremadeofstring.co.uk
X-MS-Exchange-Organization-AuthAs: Anonymous

The core of this setup was a series of 3G Modems linked up with 3G to ethernet devices such as the Solwise NET-3G-3GWIFIMRW.

These were backed off onto a server running Squid and BIND with DHCP containing all the relevant proxy auto config data (plus some IPTables magic for those that didn’t play nice).

Couple this with three Access points with 8db omni’s spread about to acheive maximum coverage I was pleased to see that at one point the network was sustaining over 8mbit/s of throughput!

There was a lot of web browsing, I was streaming spotify, people were blogging and tweeting and despite the heat it all stayed alive.

Next time I’ll be doing it without mains power either so mount up the UPS’s and gas the generators!

This is extremely easy to do but I haven’t posted anything in a while so I thought I’d document the process.

To start just load up the Programs and Features section of Control Panel, choose Exchange and select Uninstall.















The first screen is utterly pointless

At the next screen you need to deselect the options you no longer require. Ideally as I’m Uninstalling and not Modifying the installation I’d have thought you’d select that which you want to remove.






























Clicking next will start the uninstall process

Unfortunately even though this machine wasn’t actually doing anything there was still a connector that used this server as a source transport server so the uninstall of the Hub Transport Role failed.















To resolve this all you need to do is load up the Exchange 2010 Management console, navigate to the Hub Transport role within the Organisation Configuration and in the Send Connectors tab remove the Connector that uses the server as a source.















Running the uninstaller again allows all the Readiness Checks to pass















Nearly 2 hours later (This machine had virtually no RAM as I’d allocated it elsewhere) the uninstall completed















Easy as anything.

A base copy of Windows Server 2008 (non R2) will have the following pre-requisites;

.Net 3.5 (SP1)
PowerShell 2.0
Office 2007 System Converter Filter Pack

Once these are installed you will need to wield ServerManagerCmd and get some other things installed;

ServerManagerCmd -i RSAT-ADDS
ServerManagerCmd -i Web-Server
ServerManagerCmd -i Web-ISAPI-Ext
ServerManagerCmd -i Web-Metabase
ServerManagerCmd -i Web-Lgcy-Mgmt-Console
ServerManagerCmd -i Web-Basic-Auth
ServerManagerCmd -i Web-Digest-Auth
ServerManagerCmd -i Web-Windows-Auth
ServerManagerCmd -i Web-Dyn-Compression
ServerManagerCmd -i Web-Net-Ext
ServerManagerCmd -i NET-WIN-CFAC

This went exceptionally smoothly and then it was time to run the Exchange 2010 setup.

Unfortunately it threw an error regarding the Net.Tcp Port Sharing service needing to be set to automatic;



















To fix this just set the service to auto start;
sc config NetTcpPortSharing start= auto

A quick retry of the Readiness checks came back with a clean bill of health and we are good to go!

Just over half an hour later Exchange 2010 is installed and ready to go!



















Since my last post regarding Exchange I’ve been using the Active Directory Certification Services to handle all my SSL stuff which worked lovely with IIS7 and Exchange 2010 so there was no need to do any of the crazy private key recovery stuff as we did with Exchange 2007.

A full install and even a test mailbox migration in just over an hour, not bad.

I moved to a shiny ‘new build’ flat a year or so ago and unfortunately my old Compaq 9000 Rack Cabinet wouldn’t have fitted up the stair case :/ so I bought a nice flat pack 28u Rack Cabinet and set about virtualising all my legacy stuff.

VM Hosts

Using the 2 S411 cases I already had I installed;
2x ASUS P5B-VM
2x Intel Core 2 Quad Q6600
8x Corsair 4GB DDR2 800MHz/PC2-6400 XMS2
2x Hiper 880W 85% Efficient PSU
4x Adaptec 1430SA 4Port PCI Express SATA II RAID Card
16x Western Digital Caviar Blue WD5000AAKS 500Gb SATA II Disk Drives
2x Plexus MV 1200VA UPS

Because I wanted performance at cheaply as possible I had to use HyperV instead of ESXi because all the hardware I had chosen worked flawlessly in Windows Server 2008 but is obviously unsupported in ESXi.

I upgraded my workstation at the same time but that was basically the same other than the motherboard ( ASUS P5N-D ) and two XFX 9800GTX+ 765MHz Edition graphics cards.

I didn’t bother with any P2V stuff as the old VM’s / physicals were a mix of Windows Server 2003 and CentOS 5.2.

Networks

I’d recently moved to Be* Internet and had ordered 16 IP’s (to go with my /48 IPv6 subnet) I had to split the Network off using 2 physical firewalls (a Cisco Pix 501 and a Netscreen NS5GT). Eventually I’ll probably replace one of them with a Cisco ASA 5505 Security Pack to do the multiple subinterface VLAN stuff but at £600 still I can live without it!.

The 3Com SuperStack 3 4400 proved itself a good investment yet again allowing me to VLAN off the internet facing VM’s from my internal ones using HyperV’s VLAN tagging config.

The Cisco 2600 router coupled with a Windows 2008 VM sorted out the IPv6 Network again.

All in all it was a pretty painless process and to the point of this post, pictures;

The Old Kit

All the old kit was either FreeCycled or otherwise donated to those who would benefit from DL380′s, switches, Fibre/Ethernet converters etc etc.

The saddest thing was smashing 5Tb of 300Gb / 250Gb / 160Gb / 80Gb / 40Gb disks into powder.

Cross Forest trusts are a possibility and merging one with the other (i.e having the Hosted Exchange solution bound to the existing domain) is another but there are many issues with that (mostly political).

What I intend to do is utilise the ‘Branch office’ concept that Read Only Domain Controllers were designed for to mock up a solution for Hosting the entire AD infrastructure remotely and having R/O DC’s on the customer premises.

What now?

For no other reason than that of satisifying my curiosity I built an entire AD infrastructure hosted at the data center and then had a remote ‘office’ running for a day without a local DC and then the following day with a Read Only Domain Controller sitting there.

There’s nothing new or crazy here other than maybe the fact that most people move bits of their AD infrastructure to the DC when its bandwidth requirements overwhelm their resources. What I’m playing with is the idea of having everything remote and only putting the stuff you need (NAS etc) in the office.

The Test

In the Red Corner we have a full Active Directory and Exchange infrastructure at the DC and then the ‘offices’ were built using a few Terminal Services servers running a respective amounts of users. The idea is to monitor traffic before dropping in a RO DC and then again afterwards.

The Infrastructure

Hosted Infrastructure

The Hosted infrastructure consists of a relatively standard Exchange 2007 deployment (if you follow the guidelines) visible to the world (selected ports only) is an Edge Transport server for handling the initial mail connections and the Client Access Server. Behind those is the Mailbox and Hub Transport (in reality these were on the same box but the diagram wasn’t as symmetrical then!).


The Domain controller is a special case because whilst we have no reason for the Internet at large to talk to it we need the read only Domain Controller at the client site to be able to communicate with it so an IPSEC LAN to LAN VPN was required.

The Results

AD Traffic From the TS to the Remote DC No Local DC

AD Traffic to the Remote DC with Local RODC

OWA Traffic During the Tests

Scripted behavior – so it was the same(ish) on both days

Conclusion

Well it did exactly what I expected it to do so nothing ground breaking there. It was interesting to see the spike just after I logged all the fake users off the Terminal Servers.

R/O DC’s were used because in an ideal world customers shouldn’t have write access to an AD infrastructure that a SysAdmin has an SLA to honor!